CVE-2018-6617
Easy Hosting Control Panel EHCP v0.37.12.b, when using a local MySQL server, allows attackers to change passwords of arbitrary database users by leveraging failure to ask for the current password...
CVE-2018-6362
Easy Hosting Control Panel EHCP v0.37.12.b has XSS via the domainop action parameter, as demonstrated by reading the PHPSESSID cookie...
CVE-2018-6619
Easy Hosting Control Panel EHCP v0.37.12.b makes it easier for attackers to crack database passwords by leveraging use of a weak hashing algorithm without a salt...
idreamsoft iCMS Cross-Site Request Forgery Vulnerability (CNVD-2018-09388)
idreamsoft iCMS is an open source content management system (CMS) based on PHP and MySQL. A cross-site request forgery vulnerability exists in idreamsoft iCMS version 7.0. A remote attacker can add Column with the help of /admincp.php?app=articlecategory&do=save&frame=iPHP to exploit the...
Easy Hosting Control Panel 0.37.12.b Cross Site Scripting Add FTP Account
Credits: hyp3rlinx; Website: hyp3rlinx.altervista.org; Source: http://hyp3rlinx.altervista.org/advisories/EHCP-v0.37.12.b-XSS-FTP-BACKDOOR-ACCOUNT.txt; ISR: Apparition Security; Greetz: indoushka|Eduardo|Dirty0tis; Vendor: www.ehcp.net; Product: Easy Hosting Control...
Easy Hosting Control Panel 0.37.12.b Cross Site Request Forgery
Credits: hyp3rlinx; Website: hyp3rlinx.altervista.org; Source: http://hyp3rlinx.altervista.org/advisories/EHCP-v0.37.12.b-MULTIPLE-CSRF.txt; ISR: Apparition Security; Greetz: indoushka|Eduardo|Dirty0tis; Vendor: www.ehcp.net; Product: Easy Hosting Control Panel v0.37.12.b Ehcp...
Vesta Control Panel Cross-Site Scripting Vulnerability (CNVD-2018-09183)
Vesta Control Panel is an open source web hosting control panel. A cross-site scripting vulnerability exists in Vesta Control Panel version 0.9.8-20. A remote attacker can exploit this vulnerability by sending the 'path' parameter to the view/file/index.php URI to execute PHP code...
CVE-2018-10686
An issue was discovered in Vesta Control Panel 0.9.8-20. There is Reflected XSS via $_REQUEST['path'] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving a file_put_contents call in web/upload/UploadHandler.php...
Cross site scripting
An issue was discovered in Vesta Control Panel 0.9.8-20. There is Reflected XSS via $_REQUEST['path'] to the view/file/index.php URI, which can lead to remote PHP code execution via vectors involving a file_put_contents call in web/upload/UploadHandler.php...
CVE-2018-10686
Vesta Control Panel 0.9.8-20 is affected by a Reflected XSS vulnerability in the view/file/index.php path, exploitable via the $_REQUEST['path'] parameter. The issue can lead to remote PHP code execution through a file_put_contents call in web/upload/UploadHandler.php. This vulnerability is surfa...
WordPress WF Cookie Consent 1.1.3 Cross Site Scripting
Exploit Title: WF Cookie Consent - Authenticated Persistent Cross-Site Scripting Date: 23/04/2018 Exploit Author: B0UG Vendor Homepage: http://www.wunderfarm.com/ Software Link: https://en-gb.wordpress.org/plugins/wf-cookie-consent/ Version: Tested on version 1.1.3 older versions may also be...
WF Cookie Consent <= 1.1.3 - Authenticated Persistent Cross-Site Scripting (XSS)
The WF Cookie Consent WordPress plugin was affected by an Authenticated Persistent Cross-Site Scripting (XSS) security vulnerability. 1. Access WordPress control panel. 2. Navigate to the 'Pages'. 3. Add a new page and insert the script you wish to inject into the page title. 4. Now navigate to...
ExpressionEngine: XML Member Processing - Local File Inclusion Vulnerability
@lawrenceamer discovered a local file inclusion vulnerability that logged in users with access to the control panel and permission to access developer utilities may be able to exploit. @lawrenceamer gave a detailed report with step-by-step instructions for replicating and screen captures of a the...
Interspire Email Marketer < 6.1.6 - Remote Admin Authentication Bypass
''' Exploit Title: Interspire Email Marketer - Remote Admin Authentication Bypass Google Dork: intitle:"Control Panel" + emailmarketer Date: 4-22-18 Exploit Author: devcoinfet Vendor Homepage: www.interspire.com/emailmarketer Software Link: Can't legally provide link but can be found on net...
ExpressionEngine: Import File Converter - local File inclusion
@lawrenceamer discovered a local file inclusion vulnerability that logged in users with access to the control panel and permission to access developer utilities may be able to exploit. @lawrenceamer gave a detailed report with step-by-step instructions for replicating and screen captures of a the...
CVE-2018-10250
iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a weixincategory action, aka a WeChat Classified Management keyword search...
ExpressionEngine: [EE] change the author of post using the author_id
@flex0geek discovered that users with permission to edit entries in the control panel could manipulate the form or POST submission and set an invalid author as the author of that entry. @flex0geek gave a detailed report with step-by-step instructions for replicating and screen captures of a their...
Cross site request forgery (csrf)
An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request...